[ale] How LDAP works with authentication

Christopher Fowler cfowler at outpostsentinel.com
Tue Oct 11 20:36:09 EDT 2005 

Aler's

I'm getting ready to implement LDAP support in our product.  I'm very
new to LDAP and I've got a question about how LDAP works internally for
user authentication.  

When a system requests a user record from the LDAP database does that
system also return the user password?  

In unix when a user logs into the system the software that is doing the
authentication uses getpwnam() to retrieve the /etc/passwd record for
that user.  One thing that is returned is the one-way encrypted
password.  So a program lik /bin/login will typically authenticate a
user via this process:

1.  Ask for username.
2.  Ask for password.
3.  use getpwname() to retrieve all
    user details like uid,gid,shell,full name, and password
4.  uses the crypt() function to encrypt the password supplied
    by the user using the salt of the stored password.
5.  uses strncmp() to compare the encrypted password and the
    stored encrypted password. If the password supplied was
    encrypted using the same salt as the store password then
    they should match.
6.  Exec struct passwd->shell.


What I plan to do is to implement getldappwnam().  This will be embedded
in my version of getpwnam().  This is so programs like ssh, telnet, web
interface, yada do not have to be modified to support LDAP.  They simply
call getpwnam() as normal and my code then does the right thing.

1.  Check flash for user 'bob'.
2.  If not and LDAP is configured then exec getldappwnam() and
    check for 'bob' in central server.  
3.  If we have a match construct a passwd structure based on data
    received from LDAP server and then return that from getpwnam().


Those that are familiar with the internals of LDAP hopefully can tell me
if this plan will work.  I did the exact same thing when we added radius
support.  The real apps always execute getpwnam().  Then if there are no
users on flash to match and radius was configure getradpwnam() would
then attempt to retrieve radius data.

The only problem I see is that we support what we call ACL's.  These are
extended attributes or user groups that give the users specific access
to ports, power control, etc.  Is is possible for LDAP to store that
data to and we can fetch that?  

One idea and I know someone here will mention it is to execute a PAM
like system.  There is no room for PAM on these devices.  Plus we would
have to modify PAM to support our storage of configuration. Our device
is embedded Linux but it is not a flash chip with a distro installed
like many embedded devices.  It has a real embedded design and relies on
no files to store things like user accounts, port configuration, etc.
Configuration is on one place in flash not littered all over the place
in /etc. 


Chris

More information about the Ale mailing list